I've spoken to glob about this offline; but just wanted to note: Our
fledgling 'Third Party Library Audit' project is planning on using
this metadata (even if the library itself isn't completely vendored)
for checking for security issues in upstream and auto-filing bugs.


On Mon, Apr 9, 2018 at 11:25 PM, glob <g...@mozilla.com> wrote:
> mozilla-central contains code vendored from external sources. Currently
> there is no standard way to document and update this code. In order to
> facilitate automation around auditing, vendoring, and linting we intend to
> require all vendored code to be annotated with an in-tree YAML file, and for
> the vendoring process to be standardised and automated.
> The plan is to create a YAML file for each library containing metadata such
> as the homepage url, vendored version, bugzilla component, etc. See
> https://goo.gl/QZyz4x for the full specification.
> We will work with teams to add moz.yaml files where required, as well as
> adding the capability for push-button vendoring of new revisions.
> Please address comments to the dev-platform list.
> --
> glob — engineering workflow — moz://a
> _______________________________________________
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
dev-platform mailing list

Reply via email to